The state of business continuity and disaster recovery planning is dismal in most organizations and nonexistent in many. Most plans in place simply won’t work. This is not surprising since disaster recovery hasn't been given sufficient consideration; until now, it's been among CIOs’ lower priorities.
The terms business continuity and disaster recovery are used interchangeably in the industry, but are not exactly the same. We view the terms in a hierarchical perspective for the purposes of ensuring continuity of your key business processes, delivery services, and IT services. IT disaster recovery is a significant component of business continuity, but you must consider more when planning for expected events.
In an emergency, there are many continuity requirements within the organization’s business and services covering processes, facilities, personnel, and others. IT and a variety of business units across the organization must work in concert, both in planning for continuity and in its execution.
Today, the disaster recovery capabilities in many organizations contribute little to their real objectives and operations. But with rising threats to our socio-politico-economic infrastructures, government and business leaders are more aware of their dependencies and risks regarding information technology. They're recognizing the extent of their vulnerabilities, and are becoming more amenable to allocating resources to reduce their risks. There is now a window of opportunity to gain control of business continuity and disaster recovery and build programs that contribute to desired business outcomes.
When organizations think about disaster recovery, they commonly think about technology—tape backup systems, storage systems, and hot sites. Technology, particularly high availability technology, is an important part of business continuity and disaster recovery. However, there is more—much more. You need a way to ensure that plans are relevant and realistic, accurate and up to date, workable and manageable, and cost-effective.
You'll want to build and manage a process to ensure that business continuity strategies, plans, and procedures are always appropriate. You'll have to manage business continuity as a service to ensure the business gets what it needs, when it needs it, at a reasonable cost. To do so, you'll need to help the business define the components depicted in Figure A.
The business continuity framework is a way to ensure that key aspects of the business, service delivery, and technology infrastructure, including the business continuity process, are assessed, built, and managed in a comprehensive and logical manner by placing emphasis on process, technology, and organization.
The diagram shows one manifestation of the assess-build-manage model. Key components of the business continuity framework include the following.
Business impact analysis
Business continuity planning depends on a clear understanding of business processes and data and associated risks. The business continuity process formalizes procedures to (1) identify important business processes, data, and technology infrastructure; (2) identify associated risks and impact; and (3) develop scenarios and business continuity strategies. With formal procedures, you can ensure business continuity strategies are evaluated and updated continuously.
Business continuity is a service and must be driven by service levels. These include descriptions of continuous (no downtime allowed) and resilient (some downtime allowed) systems with time-to-restore and point-of-restoration metrics.
To be effective, business continuity planning must be an integral part of the applications and IT infrastructure development processes. For example, policies and procedures need to be in place to ensure that business continuity and high-availability requirements are identified early in the software development lifecycle. Production acceptance procedures also ensure that all required provisions for business continuity (technologies, processes, and organization) are ready and tested before applications are released for production.
Like any other critical application and IT infrastructure component, business continuity strategies, plans, and documentation are subject to change management. This is the only way to ensure that changes are captured in a timely and accurate way.
Tape backup has always been an important part of disaster recovery, but it is no longer sufficient. It is too slow and cannot handle high volumes of data. With greater emphasis on business continuity, other technologies must be considered. High-availability servers, storage systems, networks, and DBMSs, among others, have prominent roles in many business continuity plans.
Detection and response management
This is the essence of any business continuity plan. It comprises all the guidelines and detailed procedures for emergency decision-making, preparation, initial emergency responses, and system recovery.
Security and business continuity are closely related. Business continuity plans must be reviewed with respect to security policies and requirements.
Roles and responsibilities must be well defined. This covers a variety of technical staff (programmers, administrators, and operators), executive managers (emergency decision makers), facilities managers (power, cooling, cabling), human resources (staff issues and needs), business units (business processes), and external organizations (outsourcers, telcos, and suppliers).
You must make provisions to ensure that appropriate facilities are in place. You must consider guidelines that address high-availability power, cooling, and fire protection systems and facilities that are physically secure. These guidelines must also cover different types of offsite facilities for processing, storage, and workspace.
Systems and data recovery are only part of business continuity planning. There are many logistical issues to consider, before an emergency occurs. You will want to make special provisions for your organization’s staff. They need adequate workspace, furniture, workstations, communications, and supplies. In many cases, you need to make special arrangements for living accommodations, food, personal security, and transportation. You might have to make special arrangements for their families.
Many organizations rarely test their business continuity plans. If they do, it is frequently not adequate. Guidelines and procedures to ensure that testing is frequent, comprehensive, and systematic are a necessity.
Business continuity must be assessed continuously for improvements. Also, it must be audited for compliance with polices and regulations.
In future articles in this series, we'll focus on each of the key components above. We'll describe not only what needs to be done and why, but more importantly, we’ll show you how, with intelligent, practical plans of action.
Harris Kern's Enterprise Computing Institute and Change Technology Solutions, Inc., represent the industry’s leading minds behind the design and implementation of world-class IT organizations.